The Hacker News — Cyber Security, Hacking, Technology News

The massive data breach that Yahoo! confirmed to the world last week was, the company claims, carried out by a "state-sponsored actor" in 2014 and exposed the accounts of at least 500 Million Yahoo users.

But now it seems that Yahoo has downplayed a mega data breach and is trying to hide its own security blunder.

Recently the information security firm InfoArmor, which analyzed the data breach, refuted Yahoo's claim, stating that the breach was the work of seasoned cybercriminals who later sold the compromised Yahoo accounts to an Eastern European nation-state.

Over 1 Billion Accounts May Have Been Hacked

Now, there's one more twist in the unprecedented data heist.

A new development in the story indicates that the number of affected Yahoo accounts may be between 1 Billion and 3 Billion.

An unnamed former Yahoo executive who is familiar with the company's security says that Yahoo's back-end architecture is designed so that all of its products use one main user database (UDB) to authenticate users, Business Insider reported Friday.

So every username and password that users enter to log into services like Yahoo Mail, Sports or Finance is checked against this one central database before access is granted.

This central database is what got compromised, and therefore it's quite difficult to believe that the hackers who compromised the whole database walked away with just a small fraction of "the core crown jewels of Yahoo customer credentials."

Whoever carried out the hack not only stole usernames and email addresses of affected users but also pilfered other personal information, including their dates of birth, phone numbers, hashed passwords, and unencrypted security answers.

So it's unclear how Yahoo came up with the 500 Million number.

The company has not commented further on how the data breach happened or when it was discovered, citing an active investigation.

Yahoo! could have saved you, but decided not to:

A lengthy report published by the New York Times seemingly explains that the company did not reset the passwords of its users after the breach due to the decisions made by Yahoo's CEO Marissa Mayer, who seemed to prioritize developing new products over making security improvements.

The reason sounds stupid, as the article reads:

"The 'Paranoids,' the internal name for Yahoo's security team, often clashed with other parts of the business over security costs. And their requests were often overridden because of concerns that the inconvenience of added protection would make people stop using the company's products."

If Yahoo had reset the passwords of its affected users, those users would have been prompted to take proper security measures to protect their personal data from hackers.

Let's see what new developments emerge in this unprecedented data breach.

Already, the Yahoo hack is believed to be one of the biggest in history, and the company is still trying to negotiate a deal to sell its core business to Verizon for $4.8 Billion.

Yahoo! has yet to respond to the recent revelation by the insider.

The breach news has already magnified the company's problems, but if the number of affected accounts reaches a Billion, would the company be able to save its acquisition deal?

That's more than seven times what Apple is offering (up to $200,000) for iOS zero-days via its private, invite-only bug bounty program.

Zerodium, a startup by the infamous French company Vupen that buys and sells zero-day exploits to government agencies around the world, previously offered US$500,000 for remote iOS 9 jailbreaks, a figure that was temporarily increased to $1 Million for a competition held by the company last year.

The company paid out the $1 million contest reward for the first three iOS 9 zero-days in November to an unnamed hacker group, then lowered the price again to $500,000.

With the recent release of iOS 10, Zerodium has agreed to pay $1.5 Million to anyone who can pull off a remote jailbreak of Apple's latest mobile operating system, allowing full third-party control over the device.

The company has also doubled its bug bounty for Android 7.x (Nougat) remote jailbreaks to $200,000 and boosted rewards for exploits in other software, including Adobe Flash, Microsoft Internet Explorer and Edge, Windows Reader, Microsoft Word and Excel, Safari, and OpenSSL or PHP.

The price hike is in line with demand and the tougher security of the latest iOS and Android operating systems, and is meant to attract more researchers, hackers and bug hunters to seek complex exploit chains in iOS 10.

To claim the prize money, Zerodium is asking for previously unknown security vulnerabilities that allow an attacker to compromise a non-jailbroken iOS device remotely.

Zerodium CEO Chaouki Bekrar notes on Twitter that the company is prepared to buy multiple iOS zero-day hacks at that price, saying "We can afford to buy multiple iOS exploit chains for $1.5M each."

Hackers will get the payout within a week of submitting the zero-day vulnerabilities along with a valid working proof-of-concept.

One of the FBI's Most Wanted Hackers who was arrested in Germany earlier this year has pleaded guilty to federal charges for his role in a scheme that hacked computers and targeted the US government, foreign governments, and multiple US media outlets.

Peter Romar, 37, pleaded guilty Wednesday in a federal court in Alexandria to felony charges of conspiring to receive extortion proceeds and to illegally access computers in his role as a member of the infamous hacking group calling itself the Syrian Electronic Army (SEA), the Department of Justice (DoJ) announced.

Romar was previously extradited from Germany at the request of the United States.

"Cybercriminals cannot hide from justice," said U.S. Attorney Dana J. Boente for the Eastern District of Virginia. "No matter where they are in the world, the United States will vigorously pursue those who commit crimes against U.S. citizens and hold them accountable for their actions."

In March, the US charged three men it believed were involved in cyber-attacks carried out by the Syrian Electronic Army. Romar had already been arrested, while the other two - Ahmad Umar Agha (aka The Pro), 22, and Firas Dardar (aka The Shadow), 27 - were believed to be in Syria.

The FBI has also offered a reward of $100,000 for any information that leads to the arrest of Agha and Dardar, who were allegedly involved in hacking the Associated Press Twitter account in April 2013 and spreading a false rumor that the White House had been bombed and President Obama injured, which caused a temporary stock market dip.

All three SEA hackers were allegedly engaged in a long-running cyber-propaganda campaign in support of the Syrian President Bashar al‑Assad.

The group used "spear-phishing" tactics to target computer systems of the US government, foreign organizations, media outlets and other private-sector entities that the SEA deemed antagonistic toward the Syrian Government.

Dardar and Romar are accused of hacking into the computer systems of businesses for their personal profit. They hacked into victims' computers and then threatened to damage the machines and delete or sell the data unless they were paid a ransom.

"If a victim could not make extortion payments to the conspiracy's Syrian bank accounts due to sanctions targeting Syria, Romar acted as an intermediary in Germany to evade those sanctions," the DoJ said.

Romar faces up to 5 years in prison and is scheduled to be sentenced on 21st October, while co-defendant Dardar remains at large and is believed to be in Syria.

If successfully exploited, these vulnerabilities could allow attackers to remotely hijack and control your router, and with it your network, leaving all connected devices vulnerable to man-in-the-middle and DNS poisoning attacks.

Moreover, a hacked router can easily be abused by cybercriminals to launch massive Distributed Denial of Service (DDoS) attacks; the Internet has recently witnessed a record-breaking 1 Tbps DDoS attack that was launched using more than 150,000 hacked Internet-connected smart devices.

Security researcher Pierre Kim has discovered multiple vulnerabilities in the D-Link DWR-932B router, which is sold in several countries to provide Internet access over an LTE network.

Telnet and SSH Backdoor Accounts

While penetration testing the device, the researcher found that the D-Link wireless router has Telnet and SSH services running by default, with two hard-coded secret accounts (admin:admin and root:1234).

Hackers simply need these credentials to gain access to vulnerable routers from a command-line shell, allowing them to perform man-in-the-middle attacks, monitor Internet traffic, run malicious scripts and change router settings.

Another Backdoor

If this isn't enough, the D-Link DWR-932B LTE router has another secret backdoor that can be triggered merely by sending the string "HELODBG", a hard-coded command, to UDP port 39889, which in return launches Telnet with root privileges without any authentication.
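As an added example (not code from Pierre Kim's advisory or from D-Link), the following detection logic scans firewall-style log lines for the two exposures just described: connections to the router's default Telnet/SSH services, and any datagram to the UDP port 39889 trigger. The key=value log format, the router addresses and the LAN range are assumptions; the sample lines are constructed.

```python
"""Flag traffic that targets the DWR-932B's default-credential services
(Telnet/SSH) or its UDP 39889 debug trigger in key=value style logs.
Added example; log format, addresses and LAN range are assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Assumed addresses of the router (LAN side and WAN side) and the LAN range.
ROUTER_IPS = {"192.168.1.1", "203.0.113.1"}
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

BACKDOOR_UDP_PORT = 39889               # HELODBG trigger port from the advisory
MGMT_TCP_PORTS = {22: "ssh", 23: "telnet"}  # services running by default

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


@dataclass
class Alert:
    severity: str
    reason: str
    src: str


def parse_line(line: str) -> Optional[dict]:
    """Extract protocol, source, destination and destination port; None if malformed."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"proto": m["proto"].upper(), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def classify(rec: Optional[dict]) -> Optional[Alert]:
    """Apply the two rules to one parsed record; only traffic aimed at the router counts."""
    if rec is None or rec["dst"] not in ROUTER_IPS:
        return None
    from_lan = ipaddress.ip_address(rec["src"]) in LAN_NET
    if rec["proto"] == "UDP" and rec["dport"] == BACKDOOR_UDP_PORT:
        # No legitimate client ever talks to this port, so any hit is critical.
        return Alert("critical", "datagram to HELODBG trigger port 39889", rec["src"])
    if rec["proto"] == "TCP" and rec["dport"] in MGMT_TCP_PORTS:
        svc = MGMT_TCP_PORTS[rec["dport"]]
        if not from_lan:
            return Alert("high", f"WAN-side {svc} connection attempt to router", rec["src"])
        # LAN access still matters: the accounts behind these services are hard-coded.
        return Alert("medium", f"LAN {svc} connection to router (default-credential service)", rec["src"])
    return None


def scan(lines) -> list:
    """Run every line through the parser and the rules, keeping only alerts."""
    return [a for a in (classify(parse_line(l)) for l in lines) if a is not None]


# Constructed sample log: one benign admin-UI hit, one backdoor probe, one
# WAN telnet attempt, one LAN ssh login, one DNS query, one junk line.
SAMPLE_LOG = [
    "2016-09-30T10:00:01 proto=TCP src=192.168.1.20 dst=192.168.1.1 dport=80",
    "2016-09-30T10:00:02 proto=UDP src=203.0.113.7 dst=203.0.113.1 dport=39889",
    "2016-09-30T10:00:03 proto=TCP src=198.51.100.9 dst=203.0.113.1 dport=23",
    "2016-09-30T10:00:04 proto=TCP src=192.168.1.31 dst=192.168.1.1 dport=22",
    "2016-09-30T10:00:05 proto=UDP src=192.168.1.20 dst=192.168.1.1 dport=53",
    "2016-09-30T10:00:06 kernel: link up on eth0",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.reason} from {alert.src}")
```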

Vulnerable WPS System

Default WPS PIN:

You might have seen a small push button on your router labeled WPS, which stands for Wi-Fi Protected Setup, a 'so-called' security feature that allows anyone to connect to your wireless network with a PIN instead of your actual Wi-Fi password.

Bingo! The PIN for the WPS system on D-Link routers is '28296607,' which is hard-coded in the /bin/appmgr program.

Weak WPS PIN Generation:

Users can also temporarily generate a new WPS PIN using the router's administrative web interface, but unfortunately the PIN generation algorithm is flawed and so weak that an attacker can easily predict it.

Remote Firmware-Over-The-Air

Now, if you hope that a firmware upgrade will land soon and save you from these issues, then you are wrong.

That's because D-Link's remote firmware over-the-air (FOTA) update mechanism is also vulnerable.

The credentials to contact the FOTA server are hard coded in the /sbin/fotad binary. The user/password combinations are qdpc:qdpc, qdpe:qdpe and qdp:qdp.

"It's notable the FOTA daemon tries to retrieve the firmware over HTTPS. But at the date of the writing, the SSL certificate for https://qdp:qdp@fotatest.qmitw.com/qdh/ispname/2031/appliance.xml is invalid for 1.5 years," Kim writes.

Security Removed in UPnP

Due to the security risks involved, there are usually restrictions in place to prevent untrusted LAN clients from adding or modifying firewall rules.

However, the vulnerable D-Link router's configuration file places no restriction on UPnP permission rules, allowing anyone on the LAN to add their own port-forwarding rules from the Internet to other clients located in the LAN.

"An attacker can add a forwarding rule in order to allow traffic from the Internet to local Exchange servers, mail servers, ftp servers, http servers, database servers," Kim writes. "In fact, this lack of security allows a local user to forward whatever they want from the Internet into the LAN."

There are more security issues surrounding the vulnerable router, but Kim points out that the router, with a big processor, sizable memory (168 MB) and good free space (235 MB), is so badly secured that it would be trivial for attackers to use it as an attack vector.

Kim privately reported the security flaws to the Taiwan-based networking equipment manufacturer D-Link in June and received no update from the company, so he went public with details of the vulnerabilities after obtaining CERT's advice.

Today, most users surf the web unaware of the fact that websites collect their data and track their locations – and if this is not enough, then there are hackers and cyber criminals who can easily steal sensitive data from the ill-equipped.

In short, the simple truth is that you have no or very little privacy when you're online.

So, if you're worried about identity thieves, or ISPs spying on or throttling your traffic, the most efficient way to secure your privacy on the Internet is to avoid using public networks; use a Virtual Private Network (VPN) instead.

When it comes to digital security, the first thing most users probably think of is a good Antivirus for protecting their sensitive data on their systems. But, what they forget is that the data they send over the Internet needs protection, too.

That's where Virtual Private Network (VPN) services come in.

A VPN allows you to access a private network securely and to share data remotely through public networks, protecting your data online – much like a firewall protects the data on your computer.

The most important thing about a VPN is that it secures your Internet connection so that all of the data you send and receive is encrypted and shielded from ISPs, hackers, and prying eyes.

That's because a VPN works by overlaying a private network on top of a public network, effectively encrypting all the data that passes through it.

Since VPNs use a combination of dedicated connections and encryption protocols to generate virtual Peer-to-Peer (P2P) connections, even if snoopers did manage to capture some of the transmitted data, they would be unable to read it.

What's more, a VPN keeps your real identity anonymous on the Internet so that no one can trace the origin of your Internet connection back to you.

So, if you are worried about online safety and have not thought about getting a VPN, it might be time to use one. But, the real question here is:

Which VPN Service is the best that would take care of my security and anonymity seriously?

Many companies provide VPN services, but not all are the same. Some VPN services log all your browsing activity, which nullifies the point of using a VPN for privacy.

The best VPNs are the ones that do not keep logs or records of your browsing history and protect your anonymity, while offering a solid balance of features, server location, connectivity protocols, and price.

I came across some reputed VPN services, but they resolved few issues, and some addressed several issues but were too expensive.

But then I found NordVPN, the Panama-based company that has been providing advanced VPN services since 2012.

While reviewing, I found that NordVPN offers some good features, when it comes to privacy and security, though it might not be the fastest VPN service.

First and foremost, NordVPN is for those privacy-conscious users who prefer strong online anonymity at a very affordable price.

1. No Logging

The company has a "strict no-logs policy when it comes to seeing user activity online."

On logging, NordVPN clearly explains that it makes its users' traffic "invisible to governments, ISPs, third party snoopers and even NordVPN.com" itself.

2. Headquartered Outside the US and EU

NordVPN is headquartered in the Central American country of Panama, but why does this matter?

NordVPN servers are operated under the jurisdiction of Panama – a country that doesn't require Internet service providers to monitor user traffic, so the company is "empowered to deny any third-party requests."

3. Double VPN System

A unique feature that NordVPN offers is its two-stage data encryption through its DoubleVPN service.

When using this service, the user's data is passed through two separate VPN servers, each of which encrypts the data with the AES-256-CBC cipher using a different key as it leaves that server.

Encrypting the data twice does make NordVPN more secure, which in turn makes tracking an Internet user more difficult.

4. Dedicated Tor-over-VPN Servers (for Maximum Anonymity)

Tor has become increasingly popular after Edward Snowden's revelations about the NSA's global surveillance programs. Tor is a great anonymity tool, but it also has certain downsides, such as being a constant target of surveillance programs.

For those looking to get another layer of security protection, NordVPN provides Tor-over-VPN servers that encrypt your traffic before it enters the Tor network, making it even harder to trace back to the source.

Tor over VPN, however, is only User → VPN → Tor → Internet, so your actual IP address is not hidden from NordVPN. Much more useful would be a User → Tor → VPN → Internet kind of service, which would allow users to hide their true IP address even from the VPN provider.

Also, Tor is notoriously slow, which makes Tor-Over-VPN NordVPN servers slow in performance, but it would be unfair to judge something on factors beyond its control.

You can try the DoubleVPN with Tor-over-VPN for double-encrypted, multi-hop, maximum protection of your data. Isn't that cool?

5. Strong Encryption (2048-bit SSL for OpenVPN)

To protect your traffic from eavesdropping, NordVPN supports many different VPN security protocols, including OpenVPN, SSTP, PPTP, L2TP/IPsec and IKEv2/IPsec.

NordVPN's manual setups for Windows, Linux or Mac OS allow users to choose between these protocols, while the NordVPN custom apps for Windows, iOS, Mac OS and Android use OpenVPN or IKEv2/IPsec by default, both open source, offering robust 2048-bit / 3072-bit encryption.

6. Automatic Kill-Switch

Besides its VPN services, NordVPN also offers a Kill Switch feature, which is a must-have for anyone who is genuinely concerned about security.

When configured, this feature constantly monitors the traffic between your selected applications or processes and the VPN servers.

If your VPN connection is interrupted or drops at any point for any reason, Kill Switch will automatically activate and immediately terminate those apps or processes.

This is great, as it ensures that no unsecured data sneaks out.

7. Performance and Support (Hundreds Of Servers WorldWide)

Currently, the company has NordVPN apps for Mac OS, iOS, Windows, and Android.

NordVPN also supports Linux, but not Windows phone.

Users can even run NordVPN on game consoles and some network devices like routers.

In terms of speed, NordVPN provides consistent performance, with a large number of servers delivering a satisfying rate.

NordVPN offers servers that are customized for specific types of online access, such as high-speed servers for video streaming, Anti-DDoS servers for protection from denial of service attacks, and extra-secure servers for enhanced anonymity online.

Conclusion: NordVPN offers a solid suite of security and privacy features, with a wide choice of locations, clear logging policy, and good performance, in an easy-to-use package at a very reasonable price.

It's a smart choice and certainly should be on your shortlist. NordVPN provides different packages, from which you can choose one according to your requirement.

VPNs have now become a great tool not just for large companies, but also for individuals to improve their privacy and security online, dodge content restrictions and counter the growing threat of cyber attacks.

Chatting with a friend on iMessage and thinking that the conversation is safe and out of reach of anyone other than you and your friend? It isn't.

End-to-end encryption doesn't mean that your iMessages are secure enough to hide your trace, because Apple not only stores a lot of information about your iMessages that could reveal your contacts and location, but also shares that information with law enforcement via court orders.

According to a new document obtained by The Intercept, Apple records a log of which phone numbers you typed into your iPhone for a message conversation, along with the date and time when you entered those numbers as well as your IP address, which could be used to identify your location.

Actually, every time a user types a phone number into their iPhone for a message conversation, iMessage contacts Apple's servers to find out whether to route the message over the iMessage system.

"Apple records each query in which your phone calls home to see who's in the iMessage system and who's not," The Intercept reports.

Moreover, the company is compelled to turn over this information to law enforcement with a valid court order — generally "pen registers" or "tap and trace devices" warrants that are very easy to obtain.

Pen register warrants are routinely being used to compel telephone companies to provide metadata about customers' phone calls to law enforcement.

Apple Logs Your IP Address (Location)

But it's surprising that Apple, which has positioned itself as a staunch defender of user privacy by refusing federal officials' demands for encryption backdoors in its products, hands over its users' iMessage contact information under such warrants.

The report also points out that keeping logs of users' IP addresses, which could be used to reveal their actual location, is contrary to Apple's 2013 claim that the company "do not store data related to customers' location."

The Intercept obtained the document, titled 'iMessage FAQ for Law Enforcement,' about Apple's iMessage logs as part of a much larger cache originating from within a state police agency, "The Florida Department of Law Enforcement's Electronic Surveillance Support Team."

The team facilitates mass data collection for law enforcement using controversial tools such as Stingrays, along with the help of conventional techniques like pen registers and tap and trace devices warrants.

Although your iMessages are end-to-end encrypted, it doesn’t mean that all Apple users are enjoying the company's so-called privacy benefit.

If you have enabled iCloud Backup on your Apple devices to keep a backup of your data, copies of all your messages, photographs and other important data stored on your device are encrypted on iCloud using a key controlled by Apple, not you.

Even if you trust the company that it won't provide your decrypted data to law enforcement (just don't forget San Bernardino case in which Apple helped the FBI with the iCloud backup of the Shooter's iPhone), anyone who breaks into your iCloud account could see your personal and confidential data.

Apple Deliberately Weakens Backup Encryption

Fortunately, it is possible to store your backups locally through iTunes, though it is not such an obvious choice for an average user.

What's even worse is that a recent issue in password-protected local iTunes backups weakens the encryption strength for backups of devices on iOS 10, allowing attackers to brute-force the password for a user's local backup 2,500 times faster than was possible on iOS 9.

Apple has already confirmed that the issue exists and that a fix would be included in an upcoming update.

However, in response to the latest report about iMessage logs, Apple provided the following statement:

"When law enforcement presents us with a valid subpoena or court order, we provide the requested information if it is in our possession. Because iMessage is encrypted end-to-end, we do not have access to the contents of those communications. In some cases, we are able to provide data from server logs that are generated from customers accessing certain apps on their devices. We work closely with law enforcement to help them understand what we can provide and make clear these query logs don’t contain the contents of conversations or prove that any communication actually took place."

The Florida Department of Law Enforcement has yet to comment on the matter.

Did you know that your smart devices may have inadvertently participated in the record-breaking, largest cyber attack that the Internet has just witnessed?

If you own a smart device such as an Internet-connected television, car, refrigerator or thermostat, it might already be part of a botnet of millions of infected devices that was used to launch the biggest DDoS attack known to date, with peaks of over 1 Tbps of traffic.

France-based hosting provider OVH was the victim of the record-breaking Distributed Denial of Service (DDoS) attacks that reached over one terabit per second (1 Tbps) over the past week.

As the Internet of Things (IoT) and connected devices grow at a great pace, they widen the attack surface at the same time, giving attackers a large number of entry points to reach you one way or another.

1 Tbps DDoS Attack Hits OVH

IoT devices are currently being deployed in a large variety of forms throughout homes, businesses, hospitals, and even entire cities (Smart Cities), but they are routinely hacked and used as weapons in cyber attacks due to a lack of stringent security measures and insecure encryption mechanisms.

IoT-powered DDoS attacks have now reached an unprecedented size, as it is too easy for hackers to gain control of poorly configured, or vulnerable, IoT devices.

Late last year, we reported that lazy manufacturers of IoT devices and home routers are reusing the same set of hard-coded SSH (Secure Shell) cryptographic keys, leaving millions of embedded devices, including home routers, modems, and IP cameras, open to hijacking.

And the worst part:

These insecure IoT or Internet-connected devices are no longer in line for security updates, which leaves them open to hijacking by hackers today or tomorrow.

OSquery, an open-source framework created by Facebook that allows organizations to look for potential malware or malicious activity on their networks, was available for Mac OS X and Linux environments until today.

When Facebook engineers want to monitor thousands of Apple Mac laptops across their organization, they use their own unconventional security tool called OSquery.

OSquery is a smart piece of cross-platform software that scans every single computer in an infrastructure and catalogs every aspect of it.

SQL-based queries then allow developers and security teams to monitor low-level system state in real time and quickly search for malicious behavior and vulnerable applications across their infrastructure.

In simple words, OSquery allows an organization to treat its infrastructure as a database, turning OS information into a format that can be queried using SQL-like statements.

This functionality is critical for administrators to perform incident response, diagnose system- and network-level problems, troubleshoot performance issues, and more.

This open source endpoint security tool has become one of the most popular security projects on GitHub since its release in mid-2014 and was available for Linux distributions such as Ubuntu or CentOS, and for Mac OS X machines.
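The "infrastructure as a database" idea above, as an added example that is not code from the osquery project: osquery exposes OS state as SQL tables and uses SQLite as its query engine, so the query below is the shape of what an analyst would run through osqueryi to find unexpected network listeners. Because the real tables need a live host, minimal subsets of osquery's documented `processes` and `listening_ports` tables are recreated in an in-memory SQLite database with constructed rows, and the same SQL is run against them; the expected-port allowlist is an assumption.

```python
"""Hunt for unexpected network listeners with osquery-style SQL.  Added
example; the tables are rebuilt in SQLite with constructed rows because a
real osquery run needs a live host."""
import sqlite3

# Column names match the real osquery schemas (subset only).
SCHEMA = """
CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, cmdline TEXT, uid INTEGER);
CREATE TABLE listening_ports (pid INTEGER, port INTEGER, protocol INTEGER,
                              family INTEGER, address TEXT);
"""

# Constructed snapshot of one Linux host.  protocol 6 = TCP, 17 = UDP;
# family 2 = AF_INET, following osquery's numeric conventions.
PROCESSES = [
    (1, "systemd", "/usr/lib/systemd/systemd", "/sbin/init", 0),
    (812, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D", 0),
    (2044, "nginx", "/usr/sbin/nginx", "nginx: master process", 0),
    (3301, "python3", "/tmp/.x/python3", "python3 -m http.server 8080", 1001),
    (3310, "postgres", "/usr/lib/postgresql/9.5/bin/postgres", "postgres", 112),
]
LISTENING_PORTS = [
    (812, 22, 6, 2, "0.0.0.0"),
    (2044, 443, 6, 2, "0.0.0.0"),
    (3301, 8080, 6, 2, "0.0.0.0"),
    (3310, 5432, 6, 2, "127.0.0.1"),   # loopback only, so not exposed
]

# Assumed allowlist for this host class; anything else reachable from the
# network is worth a look.
EXPECTED_PORTS = {22, 443}

# The join an analyst would type into osqueryi: every TCP listener bound to a
# non-loopback address whose port is not on the allowlist, with process details.
UNEXPECTED_LISTENERS_SQL = """
SELECT p.pid, p.name, p.path, p.cmdline, p.uid, lp.port, lp.address
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
WHERE lp.protocol = 6
  AND lp.address NOT IN ('127.0.0.1', '::1')
  AND lp.port NOT IN ({placeholders})
ORDER BY lp.port;
"""

COLUMNS = ("pid", "name", "path", "cmdline", "uid", "port", "address")


def build_snapshot() -> sqlite3.Connection:
    """Load the constructed rows into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO processes VALUES (?,?,?,?,?)", PROCESSES)
    conn.executemany("INSERT INTO listening_ports VALUES (?,?,?,?,?)", LISTENING_PORTS)
    return conn


def unexpected_listeners(conn, expected=EXPECTED_PORTS) -> list:
    """Return one dict per listener that is not on the expected-port allowlist."""
    sql = UNEXPECTED_LISTENERS_SQL.format(placeholders=",".join("?" * len(expected)))
    rows = conn.execute(sql, tuple(sorted(expected))).fetchall()
    return [dict(zip(COLUMNS, r)) for r in rows]


def suspicious_paths(conn) -> list:
    """Second hunt: listeners whose binary lives outside the usual system directories."""
    sql = """
    SELECT DISTINCT p.pid, p.path
    FROM processes AS p JOIN listening_ports AS lp USING (pid)
    WHERE p.path NOT LIKE '/usr/%' AND p.path NOT LIKE '/bin/%'
      AND p.path NOT LIKE '/sbin/%';
    """
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_snapshot()
    for row in unexpected_listeners(db):
        print(f"pid {row['pid']} ({row['name']}) listening on {row['address']}:{row['port']}")
    for pid, path in suspicious_paths(db):
        print(f"pid {pid} runs from unusual path {path}")
```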

So, if your organization was running a Windows environment, you were out of luck.

But, not today, as with the help of Trail of Bits, Facebook has finally launched the OSquery developer kit for Windows, allowing security teams to build customized solutions for their Windows networks.

"As adoption for osquery grew, a strong and active community emerged in support of a more open approach to security," reads the earlier version of Facebook's blog post provided to The Hacker News.

"We saw the long-held misconception of 'security by obscurity' fall away as people started sharing tooling and experiences with other members of the community. Our initial release of osquery was supported for Linux and OS X, but the community was also excited for a Windows version — so we set out to build it."

To get started with the OSquery developer kit for Windows, check the official documentation, which covers the development environment and a single setup script. The build is easy to install, and you can start coding right away.

You can read the full documentation of the development process of the OSquery developer kit for Windows on the blog post by Trail of Bits.

Just last month, the most popular messaging app WhatsApp updated its privacy policy and T&Cs to start sharing its user data with its parent company, and now both companies are in trouble, at least in Germany and India.

Both Facebook and WhatsApp have been told to immediately stop collecting and storing data on roughly 35 Million WhatsApp users in Germany.

The Hamburg Commissioner for Data Protection and Freedom of Information Johannes Caspar even ordered Facebook on Tuesday to delete all data that has already been forwarded to WhatsApp since August.

Also in India, the Delhi High Court on September 23 ordered WhatsApp to delete from its servers all user data collected up until September 25, when the company's new privacy policy came into effect.

When Facebook first acquired WhatsApp for $19 billion in cash in 2014, WhatsApp made a promise that its users’ data would not be shared between both companies.

But now apparently this has changed, which, according to Caspar, is not only "misleading" for their users and public, but also "constitutes an infringement of national data protection law" in Germany.

"Such an exchange is only admissible if both companies, the one that provides the data (WhatsApp) as well as the receiving company (Facebook) have established a legal basis for doing so," the press release [PDF] from the Commission reads.

"Facebook, however, neither has obtained an effective approval from the WhatsApp users nor does a legal basis for the data reception exist."

Apparently, the companies took the new measure to enable more targeted advertising on the largest social network and to fight spam.

In response to the privacy watchdog’s decision, Facebook released a statement that it complied with EU data protection law, saying: "We are open to working with the Hamburg DPA in an effort to address their questions and resolve any concerns."

According to the watchdog, since Facebook and WhatsApp are independent companies, they should process their users' data based on their own terms and conditions as well as data privacy policies.

However, WhatsApp users need not worry about the content of their WhatsApp messages, such as chats and images, as they are end-to-end encrypted, which means even the company cannot read them.

The company has been working to merge the two OSes for roughly 3 years, with a release planned for 2017 but an "early version" to be shown off to the world in 2016.

Android + Chrome = Andromeda

The hybrid OS, currently nicknamed 'Andromeda,' could debut on a new Pixel laptop as well as a Huawei Nexus tablet from Google by Q3 2017, if not sooner, according to new leaks from 9to5Google and Android Police.

The laptop, officially codenamed "Bison" and nicknamed "Pixel 3," is a reference to the "Chromebook Pixel," but since this edition is not running the Chrome operating system, one cannot call it a "Chromebook" anymore.

Andromeda is separate from the company's Fuchsia OS, which is focused on Internet-of-Thing (IoT) devices. Moreover, the report also makes it clear that Andromeda "is [an entirely] distinct effort from Google's current campaign to bring Android apps to Chromebooks." So, don't get confused.

Rumored specs suggest Bison is expected to pack a 12.3-inch display with a 'tablet' mode and stylus, and to be powered by an Intel M3 processor like Apple's 12-inch MacBook, or an Intel Core i5.

Bison is expected to have two models with 32GB or 128GB of internal storage, and 8GB or 16GB of RAM.

Other features could include two USB-C ports, a 3.5mm headphone jack, a fingerprint scanner, stereo speakers, a backlit keyboard, quad microphones, a glass trackpad, and a battery that lasts around 10 hours.

For more details about the new hybrid operating system, you will need to wait two more weeks for Google's October 4 event, which is set to launch Google's new hardware product line, including the "Google Wi-Fi" router, Google Home, the refreshed 4K-capable Chromecast rumored to be called Chromecast Ultra, and a "Daydream" VR headset.

A computer hacker who allegedly helped the terrorist organization ISIS by handing over data for 1,351 US government and military personnel has been sentenced to 20 years in a U.S. prison.

Ardit Ferizi, aka Th3Dir3ctorY, from Kosovo was sentenced in federal court in Alexandria, for "providing material support to the Islamic State of Iraq and the Levant (ISIL) and accessing a protected computer without authorization and obtaining information in order to provide material support to ISIL," the Department of Justice announced on Friday.

The 21-year-old ISIS-linked hacker obtained the data by hacking into a US web hosting company's servers on June 13, 2015.

Ferizi then filtered out the information of over 1,300 US military and government employees from the stolen data and handed it over to Junaid Hussain, according to court filings [PDF].

The stolen data contained personally identifiable information (PII), including names, email addresses, passwords, locations and phone numbers of US military service members and government workers.

Junaid Hussain, a British jihadi believed to be the then leader and creator of a group of ISIS hackers called the Islamic State Hacking Division (ISHD), posted the names and personal data of 100 US service members' families online.

Hussain's statement included:

"We are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data and passing on your personal information to the soldiers of the Khilafah, who soon with the permission of Allah will strike at your necks in your own lands!"

Hussain, who was also known as Abu Hussain Al-Britani and used the moniker TriCk, was later killed in a US drone strike in Syria in August last year.

The US authorities also tracked down Ferizi to Malaysia, where he was arrested by the local authorities on October 6, 2015, while trying to catch a flight back to Kosovo.

Before helping ISIS, Ferizi had served as an alleged leader of the Kosova Hacker's Security (KHS) hacking group and hacked into a number of government sites belonging to the Presidency of Macedonia, the Greek Ministry of Education, the Greek Decentralized Administration of Macedonia and Thrace (DAMT), Lifelong Learning and Religion. He also stole data from IBM and Greek mobile telecoms firm OTE.

Ferizi pleaded guilty on June 15, 2016, and had faced a sentence of up to 35 years in prison, but the maximum was reduced to 25 years after he agreed to plead guilty. However, defense lawyers said he meant no real harm and asked for a six-year sentence.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

Good news: we bring you an amazing deal this month, where you can get hacking courses for as little as you want to pay, and if you beat the average price, you will receive the fully upgraded hacking bundle!

Can you rely on a single loudspeaker in your living room for great sound throughout your home?

Nah!

In the same way, you cannot expect a single WiFi router to provide stable range throughout your home.

To solve this issue, Google will soon power your home's wireless internet network with its own new WiFi router, called Google WiFi, according to a new report.

Google is set to launch a lot of new gadgets at its hardware event on October 4 including the new Pixel smartphones, Google Home, the refreshed 4K-capable Chromecast rumored to be called Chromecast Ultra and the new Google WiFi router.

But the Google WiFi router might be the biggest surprise of the bunch.

Google WiFi is said to be designed in such a way that it can be deployed in groups to create a mesh network so that multiple units can be linked together, similar to Eero's incredible router, according to a report from Android Police.

With Google WiFi, you simply need to plug one device into your modem, and other routers placed in different rooms will automatically connect to each other to create a single big wireless mesh network that covers every corner of your home.

Google WiFi will cost you $129 (INR 8600) each, according to the report.

The router is apparently going to have the same selling points as Google's OnHub router, including better range than most everyday routers and a slew of "smart" features.

The one significant advantage over OnHub is that Google WiFi will offer the ability to link several routers together to create one big wireless network.

According to a separate report from DroidLife, each Google WiFi unit will have dual-band antennas with two ports, 802.15.4 radios, AC1200 speeds, and Bluetooth. The setup process of the router is expected to be simplified so that it is ready to use in minutes.

Google has not yet commented on the matter. For details about the device, you need to wait two more weeks.

Even at that point, the company hired one of the key developers of Signal, one of the world's most secure encrypted messaging apps, onto its core security team to achieve this goal.

But it seems like Apple has taken something of a backward step.

Apple deliberately weakens Backup Encryption For iOS 10

With the latest update of its iPhone operating system, it seems the company might have made a big blunder that directly affects its users' security and privacy.

Apple has downgraded the password hashing for iOS 10 local backups from "PBKDF2 SHA-1 with 10,000 iterations" to "plain SHA256 with a single iteration," potentially allowing attackers to brute-force the backup password on a standard desktop processor.

In iOS 4 through iOS 9, the PBKDF2 function derives the final crypto key by applying a pseudorandom function (PRF) 10,000 times (password iterations), which dramatically increases the time each password check takes and makes dictionary or brute-force attacks less effective.

Brute Force Now 2,500 Times Faster Than Earlier iOS Versions

Moscow-based Russian firm ElcomSoft, which discovered this weakness in local password-protected iTunes backups, pointed out that Apple has betrayed its users by deliberately downgrading its effective, six-year-old protection to SHA256 with just one iteration.

Therefore, an attacker now needs only a single hash computation per candidate password to check for a match, making the entire brute-force process substantially less time consuming.

"We discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older," Oleg Afonin from Elcomsoft wrote in a blog post today.

Yes, that's right. With iOS 10, it's possible for an attacker to brute force the password for a user's local backup 2,500 times faster than was possible on iOS 9, using a computer with an Intel Core i5 CPU (at about 6 million passwords per second).
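To see why the iteration count is what matters here, this added example (not ElcomSoft's or Apple's code) models the two verifiers the article contrasts, PBKDF2-HMAC-SHA1 with 10,000 iterations versus a single SHA-256 pass, and times an offline dictionary pass against each; the salt, key length and wordlist are constructed for the demo.

```python
"""Why the password-hashing iteration count matters for iOS backups.

Added example, not ElcomSoft's or Apple's code. It models the two verifiers
the article contrasts, PBKDF2-HMAC-SHA1 with 10,000 iterations (iOS 4-9)
and a single SHA-256 pass (iOS 10 as described), and measures how much
cheaper each guess becomes. Salt, key length and wordlist are constructed.
"""
import hashlib
import hmac
import time
from typing import Callable, Iterable, List, Optional, Tuple

IOS9_ITERATIONS = 10_000
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo salt
Verifier = Callable[[str], bytes]


def pbkdf2_verifier(password: str, salt: bytes = SALT,
                    iterations: int = IOS9_ITERATIONS) -> bytes:
    """iOS 4-9 scheme from the article: PBKDF2 with HMAC-SHA1 as the PRF,
    applied 10,000 times, so each guess costs 10,000 HMAC computations."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, dklen=20)


def sha256_verifier(password: str, salt: bytes = SALT) -> bytes:
    """iOS 10 scheme as ElcomSoft describes it: one SHA-256 pass, so each
    guess costs a single hash computation."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def verify(verifier: Verifier, stored: bytes, password: str) -> bool:
    """Constant-time comparison of a candidate against the stored value."""
    return hmac.compare_digest(verifier(password), stored)


def offline_guess(verifier: Verifier, stored: bytes,
                  candidates: Iterable[str]) -> Tuple[Optional[str], int, float]:
    """Try candidates in order against the stored verifier output and return
    (matched password or None, number of guesses made, elapsed seconds)."""
    start = time.perf_counter()
    guesses = 0
    for candidate in candidates:
        guesses += 1
        if verify(verifier, stored, candidate):
            return candidate, guesses, time.perf_counter() - start
    return None, guesses, time.perf_counter() - start


def speedup_factor(candidates: List[str], password: str) -> float:
    """How many times faster one pass over `candidates` runs under the single
    SHA-256 verifier than under PBKDF2 on this machine. ElcomSoft reports
    about 2,500x for its optimized attack; pure Python gives a different
    number, but the iteration count is what drives the gap either way."""
    _, _, t_slow = offline_guess(pbkdf2_verifier, pbkdf2_verifier(password), candidates)
    _, _, t_fast = offline_guess(sha256_verifier, sha256_verifier(password), candidates)
    return t_slow / max(t_fast, 1e-9)


# Constructed wordlist; the "real" password sits last so every entry is tried.
WORDLIST = ["123456", "password", "qwerty", "iphone7", "letmein",
            "backup2016", "hunter2", "correct horse", "Tr0ub4dor&3"]

if __name__ == "__main__":
    pw = WORDLIST[-1]
    for name, vf in (("PBKDF2-SHA1 x10000", pbkdf2_verifier),
                     ("SHA-256 x1", sha256_verifier)):
        match, n, secs = offline_guess(vf, vf(pw), WORDLIST)
        print(f"{name:20s} found={match!r} guesses={n} "
              f"{secs * 1e3:.2f} ms ({n / max(secs, 1e-9):,.0f} guesses/s)")
    print(f"single-pass scheme is ~{speedup_factor(WORDLIST, pw):,.0f}x cheaper here")
```

The absolute guesses-per-second figures depend on the machine; the ratio between the two schemes is the point, and it is what a higher iteration count buys the defender.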

However, an obvious limitation to this attack is that it can't be performed remotely.

Since the weakness is specific to password-protected local backups on iOS 10, a hacker would require access to your device’s local backup, where the iPhone files are stored.

Elcomsoft is a well-known Russian forensics company that, like market leader Cellebrite, makes money by selling a kit that can hack into iPhones for the purpose of rooting around a target's device.

The OpenSSL Foundation has patched over a dozen vulnerabilities in its cryptographic code library, including a high severity bug that can be exploited for denial-of-service (DoS) attacks.

OpenSSL is a widely used open-source cryptographic library that provides encrypted Internet connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) for the majority of websites, as well as other secure services.

The vulnerabilities exist in OpenSSL versions 1.0.1, 1.0.2 and 1.1.0 and are patched in OpenSSL versions 1.1.0a, 1.0.2i and 1.0.1u.

The Critical-rated bug (CVE-2016-6304) can be exploited by sending a large OCSP Status Request extension to the targeted server during connection negotiation, causing memory exhaustion and thus denial of service, the OpenSSL Project said.

What is the OCSP Protocol?

OCSP (Online Certificate Status Protocol), supported by all modern web browsers, is a protocol designed to verify and obtain the revocation status of a digital certificate attached to a website.

OCSP is divided into client and server components. When an application or a web browser attempts to verify an SSL certificate, the client component sends a request over HTTP to an online responder, which in turn returns the status of the certificate, valid or not.

Reported by Shi Lei, a researcher at Chinese security firm Qihoo 360, the vulnerability affects servers in their default configuration even if they do not support OCSP.

"An attacker could use the TLS extension "TLSEXT_TYPE_status_request" and fill the OCSP ids with continual renegotiation," the researcher explained in a blog post.

"Theoretically, an attacker could continually renegotiate with the server thus causing unbounded memory growth on the server up to 64k each time."

How to Prevent the OpenSSL DoS Attack

Administrators can mitigate the issue by building OpenSSL with the 'no-ocsp' option. Furthermore, servers using older versions of OpenSSL prior to 1.0.1g are not vulnerable in their default configuration.

Another moderate-severity vulnerability (CVE-2016-6305), which can also be exploited to launch denial of service attacks, is fixed in the same patch release; it affects OpenSSL 1.1.0, which was released less than a month ago.

The team has also resolved a total of 12 low severity vulnerabilities in the latest versions of OpenSSL, but most of them do not affect the 1.1.0 branch.

It is worth noting that the OpenSSL Project will end support for OpenSSL version 1.0.1 on 31st December 2016, so users of that branch will not receive any security updates from the beginning of 2017. Therefore, users are advised to upgrade in order to avoid any security issues.

But the question is: how did these hacking tools end up in the hands of hackers?

It has been found that the NSA itself was not directly hacked; rather, a former NSA employee carelessly left those hacking tools on a remote server three years ago after an operation, and a group of Russian hackers found them, sources close to the investigation told Reuters.

The leaked hacking tools, which enable hackers to exploit vulnerabilities in systems from big vendors like Cisco Systems, Juniper, and Fortinet, were dumped publicly online by the group calling itself "The Shadow Brokers."

NSA officials have also admitted to the FBI that their careless employee acknowledged the error shortly afterward, and hence the agency has been aware of its operative's mistake for the last three years.

But instead of warning the affected companies that their customers were at risk, the NSA kept silent.

"After the discovery, the NSA tuned its sensors to detect [the] use of any of the tools by other parties, especially foreign adversaries with strong cyber espionage operations, such as China and Russia," Reuters reports.

Well, that's Bullshit! If they call it a 'tactic.'

Shortly after the public release of the NSA cyber weapons, firewall vendors Cisco and Fortinet confirmed that the leaked zero-day vulnerabilities were legitimate and issued patches to fix them.

We are still waiting for the comments from the NSA, the FBI and the Office of the Director of National Intelligence about the matter.

Since the initial leak of the NSA's hacking tools last month, and the confirmation by Cisco and Fortinet that the leaked vulnerabilities are legitimate, the intelligence agency and the online community have been finding working exploits in the data dump that were previously unknown and used in the wild.

Just recently, Cisco revealed a new zero-day vulnerability from the leaked data dump that had been used by hackers to target some of its customers, which indicates that hackers would likely continue to take advantage of the now-exposed exploits to conduct cyber attacks.

That's how many Yahoo accounts were compromised in a massive data breach dating back to 2014 by what was believed to be a "state sponsored" hacking group.

Over a month ago, a hacker was found selling login information for 200 million Yahoo accounts on the Dark Web; Yahoo has now acknowledged that the breach was much worse than initially expected.

"A recent investigation by Yahoo! Inc. has confirmed that a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor," reads the statement.

Yahoo is investigating the breach with law enforcement agencies and currently believes that users' names, email addresses, dates of birth, phone numbers, passwords, and in some cases encrypted and unencrypted security questions and answers were stolen from millions of Yahoo users.

However, the company does not believe the stolen information includes credit card information or any bank details of the affected users.

Yahoo has been criticized for its slow response to the data breach, but it is now in the process of notifying affected customers via emails and asking them to change their passwords, as well as security questions.

At this moment, Yahoo has not provided any evidence for why it believes the breach was the work of state-sponsored hackers.

Despite millions of people affected by the breach, the biggest victim here seems to be Yahoo itself.

The data breach reports come just as the company is trying to negotiate a deal to sell itself to Verizon for $4.8 Billion. So, if the breach reports negatively impact its share price, even for the time being, it could cost the company and its shareholders a slice of its buyout value.

Over the past few months, a large number of data breaches have been reported to plague companies like LinkedIn, MySpace, Tumblr, and VK.com, as hackers put up for sale massive data dumps of user credentials stolen earlier in the decade.

Change Your Password and Use a Password Manager

Needless to say, users should immediately change their Yahoo account password. The company will also be prompting anyone who hasn't changed their password since 2014 to do so now.

"Additionally, Yahoo asks users to consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether," Yahoo suggests.

Also make sure you change your passwords on other online accounts if they use the same password, and enable two-factor authentication on your online accounts immediately.

And once again, a strong recommendation: Don't reuse passwords.

If you are unable to remember different passwords for each site, you can adopt a good password manager that allows you to create complex passwords for various sites as well as remember them for you.

We have recently listed some of the best password managers, which could help you understand the importance of password managers and choose a suitable one according to your requirements.

It has only been a few days since the launch of Apple's brand new iPhone 7 and iPhone 7 Plus, but it appears that the new iPhone has already been jailbroken.

That didn't take long. Right?

Security researcher and well-known hacker Luca Tedesco shared an image of his jailbroken smartphone on his Twitter account to show the world that the new iPhone 7 has been jailbroken.

The image posted by Tedesco on Wednesday clearly shows an iPhone 7 running both iOS 10.0.1 as well as the Cydia app store, which allows jailbreakers to install apps and other software that Apple does not officially support.

Unfortunately, Tedesco has not publicly released the exploit, nor has he provided much information about it. So, right now, it is hard to say if and when he will release the iPhone 7 jailbreak to the public.

It is also not clear whether the exploit is an untethered jailbreak.

An untethered jailbreak is one that survives a reboot on its own, without the device having to be connected to an external computer that re-applies the exploit each time.

For now, there is no tool available that you can use to jailbreak your device, but the good news is that a jailbreak has already been developed, which shows that it is indeed possible to jailbreak the iPhone 7.

So, early buyers looking to jailbreak their iPhone 7 or iPhone 7 Plus and install unauthorized Cydia tweaks will have to wait until a team like Pangu, or someone else, comes up with a similar exploit.

It seems to be one of the latest tactics of cyber criminals: targeting people by dropping malware-laden USB sticks into their mailboxes, in the hope that unsuspecting users will plug the infected devices into their personal or home computers.

The warning, published on the official website of the Victoria Police, one of Australia's state police departments, reads:

"Members of the public are allegedly finding unmarked USB drives in their letterboxes.

Upon inserting the USB drives into their computers victims have experienced fraudulent media streaming service offers, as well as other serious issues [malware].

The USB drives are believed to be extremely harmful and members of the public are urged to avoid plugging them into their computers or other devices."

The warning comes after a recent flood of reports from residents in the suburb of Pakenham who found compromised unmarked drives in their mailboxes and inserted them into their computers.

Although the police did not provide any further detail on the type of malware on the drives, or on whether the victims were served ransom demands after running the malicious code, it is no surprise to us that some people plugged the drives into their PCs.

Cyber Criminals are Leveraging Human Psychology

A study conducted by a group of researchers from the University of Illinois, the University of Michigan and Google revealed that nearly half of people would not only plug a USB drive they've found on the ground into their PCs, but would also open files and click on unfamiliar links.

The worst part is that people cannot claim to make this blunder unknowingly, because it has long been known that USB drives can carry and transfer destructive malware and viruses to your computer; perhaps the most infamous example is the Stuxnet worm.

The Stuxnet sabotage malware was allegedly designed by the U.S. and Israel to disrupt Iran's nuclear facility and destroyed its uranium enrichment centrifuges in 2010. The infection is believed to have been carried through an infected USB stick.

Keeping this human psychology in mind, just last month a Hong Kong-based company started selling a USB stick, dubbed USB Kill v2, that can fry any computer it's plugged into.

So, next time when you find any USB drive or receive it in the post, show more caution and make sure you don't plug it into your laptop or computer.

In the past few months, Microsoft has open-sourced a lot of its projects, convincing people that the company loves Linux.

But a new report shows that Microsoft is not really a big supporter of Linux.

Microsoft has banned Linux on some Windows 10-powered Signature Edition PCs, which provide the cleanest Windows experience on the market.

Signature Edition PCs are different from other systems because they are carefully and meticulously configured by Microsoft to run Windows 10 with no bloatware, paid promotional web shortcuts, or other pre-installed apps, for better performance.

But besides keeping off bloatware and other pre-installed apps, Microsoft won't allow you to install Linux (or any other operating system) on them either.

This news is not a rumor: Reddit user BaronHK reported that he found it impossible to install Linux on the Signature Edition Lenovo Yoga 900 ISK2 UltraBook because the SSD has been locked in a proprietary RAID mode that can only be read by Windows.

When contacted, Lenovo confirmed that it had signed an agreement with Microsoft to make this happen.

"This system has a Signature Edition of Windows 10 Home installed. It is locked per our agreement with Microsoft," a Lenovo employee responded to a comment made by BaronHK about the issue.

Lenovo laptops that do not allow users to install Linux include the aforementioned Yoga 900 ISK2, the Yoga 900S, as well as the Yoga 710S.

Some have suggested that the issue preventing Linux from being installed could be Microsoft's decision, while others believe that it could be related to how the systems have been configured by Lenovo.

For now, all that is clear is that if you own a Lenovo Signature Edition laptop, you cannot install Linux on it.

Microsoft and Lenovo still have to officially comment on this possible restriction configured for Signature Edition PCs.

No issues, your Wi-Fi router may soon be able to tell how you feel, even if you have a good poker face.

A team of researchers at MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) has developed a device that can measure a person's inner emotional state using wireless signals.

Dubbed EQ-Radio, the new device measures heartbeat and breathing to determine whether a person is happy, excited, sad, or angry.

Using EQ-Radio, which emits and captures reflected radio frequency (RF) waves, the team bounced waves off a person’s body to measure subtle changes in breathing patterns and heart rates.

This data was then run through a bunch of algorithms and a machine-learning process programmed to match a person's behavior to how they acted previously, categorizing the person's emotion as one of the four emotional states: Pleasure, Joy, Anger and Sadness.

The impressive part about the technique:

EQ-Radio doesn't require you to wear any sort of monitoring device or on-body sensor.

"The whole thing started by trying to understand how we can extract information about people’s emotions and health in general using something that’s completely passive—does not require people to wear anything on their body or have to express things themselves actively," says Prof. Dina Katabi, who conducted the research along with graduate students Mingmin Zhao and Fadel Adib.

In its tests, the team says that if the device is trained on each subject separately, it measures emotions with 87 percent accuracy, and with 72.3 percent accuracy when a single classifier is used for all subjects.

EQ-Radio uses the same carrier frequency as Wi-Fi, but with about 1,000 times less power, which means the system could be integrated into an existing Wi-Fi router or other devices that transmit and receive wireless signals.

According to the researchers, EQ-Radio, and similar systems may help in some practical situations, like:

movie makers and advertisers could use it to better evaluate people's reactions to their work in real time;

doctors could use it to diagnose mental health conditions like depression or bipolar disorder; and

it could also integrate into smart homes, adjust temperature, lighting, and music automatically to match the user's mood...

...all without the target's knowledge or consent. All it takes is some RF signals mixed with a set of algorithms and a dash of machine learning process.

For more technical details on how the EQ-Radio device works, you can head to the research paper [PDF] titled "Emotion Recognition using Wireless Signals."

It's a Fact! No matter how smart the criminals are, they always leave some trace behind.

Two Harvard students have unmasked around 229 drug and weapon dealers with the help of pictures taken by criminals and used in advertisements placed on dark web markets.

Did you know that each image contains a range of additional hidden data that can be a treasure for investigators fighting criminals?

Yeah it's true — "A picture is worth a thousand words."

Digital images come with basic metadata, as well as EXIF data that contains information about the device with which it was taken.

EXIF, which stands for "Exchangeable Image File Format," may contain image dimensions, date and time (when the image was originally taken and when it was modified), the model of camera and its settings, information about the software used for editing, its creator and copyright information, as well as GPS coordinates of the location where the photo was taken.

If a criminal, let's say a kidnapper, takes a photo or video of their captive with a GPS-enabled phone or camera and sends it to the victim's family as proof of life for ransom, the police would be able to trace the kidnapper to the exact location where the photo was taken.

This is exactly what happened in the latest case when Harvard students, Paul Lisker and Michael Rose, collected more than 223,471 unique images from the underground illegal markets and found 229 images with geolocation data.

"In our investigation, we searched for the presence of these geotags in the images of items for sale on darknet market sites," the pair say in a blog post. "Using Python and bash scripts, we checked each image's EXIF data for longitude [and] latitude data, saving the coordinates for each geotagged photo and its file path to a text file."

The duo found 229 images that contained unique GPS coordinates which, unless spoofed, can be used by investigators to locate the places where the photos were taken within the range of two kilometers.

Remember the Anonymous hacker who was arrested by the FBI in 2012 after he posted a picture of his girlfriend's breasts online?

Higinio O. Ochoa III, a.k.a. Anonw0rmer, an alleged member of the Anonymous-linked CabinCr3w hacking team, was responsible for hacking into United States law enforcement agencies and releasing personal information, including phone numbers and home addresses of police officers.

He took a picture of his girlfriend's breasts using his iPhone and posted it on Twitter without realizing the picture contained GPS data pointing directly to his house in Melbourne, Australia.

While most of the metadata in photos is harmless, removing EXIF data, especially geo-coordinates, is a smart idea if you are privacy-conscious.
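The geotag sweep the Harvard students describe above, and the stripping advice just given, as one added example (not the students' script or any library's code): a minimal JPEG/TIFF walker that pulls decimal coordinates out of the Exif GPS IFD and a function that drops the Exif segment; the sample JPEG and its coordinates are constructed, not taken from any real listing.

```python
"""Find and strip EXIF GPS coordinates in JPEG files. Added example, not the
Harvard students' script or any library's code: it parses only the APP1 "Exif"
segment, IFD0's pointer to the GPS IFD and the GPSLatitude(Ref)/GPSLongitude(Ref)
tags. The sample JPEG and its coordinates are constructed for the demo."""
from typing import Any, Dict, Iterator, Optional, Tuple

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825                 # IFD0 tag holding the GPS IFD offset
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4  # GPS IFD tags
ASCII, RATIONAL = 2, 5                   # TIFF field types

def iter_segments(jpeg: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, raw segment bytes) after SOI. At SOS or EOI the rest of
    the file is yielded unparsed, since entropy-coded data follows SOS."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG")
    i = 2
    while i + 2 <= len(jpeg):
        if jpeg[i] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % i)
        marker = jpeg[i + 1]
        if marker in (0xDA, 0xD9):
            yield marker, jpeg[i:]
            return
        length = int.from_bytes(jpeg[i + 2:i + 4], "big")  # includes itself
        yield marker, jpeg[i:i + 2 + length]
        i += 2 + length

def _gps_from_tiff(tiff: bytes) -> Optional[Tuple[float, float]]:
    order = "little" if tiff[:2] == b"II" else "big"  # TIFF byte-order mark
    u = lambda off, n: int.from_bytes(tiff[off:off + n], order)
    def entries(ifd: int):  # yields (tag, type, count, offset of value slot)
        for k in range(u(ifd, 2)):
            e = ifd + 2 + 12 * k
            yield u(e, 2), u(e + 2, 2), u(e + 4, 4), e + 8
    gps_ifd = next((u(v, 4) for tag, _, _, v in entries(u(4, 4))
                    if tag == GPS_IFD_POINTER), None)
    if gps_ifd is None:
        return None
    found: Dict[int, Any] = {}
    for tag, typ, cnt, v in entries(gps_ifd):
        if tag in (LAT_REF, LON_REF) and typ == ASCII and cnt <= 4:
            found[tag] = tiff[v:v + cnt].rstrip(b"\x00").decode("ascii", "replace")
        elif tag in (LAT, LON) and typ == RATIONAL and cnt == 3:
            off = u(v, 4)  # three RATIONALs (deg, min, sec) live at this offset
            d, m, s = (u(off + 8 * j, 4) / (u(off + 8 * j + 4, 4) or 1) for j in range(3))
            found[tag] = d + m / 60 + s / 3600
    if any(t not in found for t in (LAT_REF, LAT, LON_REF, LON)):
        return None
    lat = found[LAT] if found[LAT_REF] == "N" else -found[LAT]
    lon = found[LON] if found[LON_REF] == "E" else -found[LON]
    return lat, lon

def gps_from_jpeg(jpeg: bytes) -> Optional[Tuple[float, float]]:
    """Decimal (lat, lon) from the Exif APP1 segment, or None if untagged."""
    for marker, raw in iter_segments(jpeg):
        if marker == 0xE1 and raw[4:10] == EXIF_HEADER:
            return _gps_from_tiff(raw[10:])
    return None

def strip_exif(jpeg: bytes) -> bytes:
    """Drop every Exif APP1 segment; all other segments are copied through."""
    return SOI + b"".join(raw for marker, raw in iter_segments(jpeg)
                          if not (marker == 0xE1 and raw[4:10] == EXIF_HEADER))

def geotagged(images: Dict[str, bytes]) -> Dict[str, Tuple[float, float]]:
    """Path -> coordinates for every image carrying GPS data: the sweep the
    students describe, minus the file system walk."""
    found = ((path, gps_from_jpeg(data)) for path, data in images.items())
    return {path: coords for path, coords in found if coords is not None}

def build_geotagged_jpeg(lat_dms, lat_ref: str, lon_dms, lon_ref: str) -> bytes:
    """Constructed sample: SOI, one big-endian Exif APP1 holding only a GPS IFD,
    then EOI. Each *_dms is three (numerator, denominator) pairs: deg, min, sec."""
    be = lambda v, n: v.to_bytes(n, "big")
    entry = lambda tag, typ, cnt, val: be(tag, 2) + be(typ, 2) + be(cnt, 4) + val
    rat = lambda dms: b"".join(be(n, 4) + be(d, 4) for n, d in dms)
    ref = lambda r: (r.encode() + b"\x00").ljust(4, b"\x00")  # inline ASCII value
    ifd0_off = 8                           # directly after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4        # IFD0: count, one entry, next-IFD link
    data_off = gps_off + 2 + 4 * 12 + 4    # GPS IFD: count, four entries, link
    ifd0 = be(1, 2) + entry(GPS_IFD_POINTER, 4, 1, be(gps_off, 4)) + be(0, 4)
    gps = (be(4, 2) + entry(LAT_REF, ASCII, 2, ref(lat_ref))
           + entry(LAT, RATIONAL, 3, be(data_off, 4))
           + entry(LON_REF, ASCII, 2, ref(lon_ref))
           + entry(LON, RATIONAL, 3, be(data_off + 24, 4)) + be(0, 4))
    tiff = b"MM\x00\x2a" + be(ifd0_off, 4) + ifd0 + gps + rat(lat_dms) + rat(lon_dms)
    app1 = EXIF_HEADER + tiff
    return SOI + b"\xff\xe1" + be(len(app1) + 2, 2) + app1 + EOI

# Constructed coordinates: 42 22' 25.00" N, 71 07' 00.50" W (not a real listing).
SAMPLE = build_geotagged_jpeg(((42, 1), (22, 1), (2500, 100)), "N",
                              ((71, 1), (7, 1), (50, 100)), "W")
```

Running `geotagged({"item1.jpg": SAMPLE, "item2.jpg": strip_exif(SAMPLE)})` reports only the first file, since the second has lost its Exif segment while every other segment is byte-for-byte intact.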

Today many automobile companies offer vehicles in which most functions are electronically controlled, from the instrument cluster to the steering, brakes, and accelerator.

These electronic control systems not only improve your driving experience but at the same time increase the risk of getting hacked.

The most recent car hack was performed on a Tesla Model S by a team of security researchers from Keen Security Lab, who demonstrated how they were able to hijack the car by exploiting multiple flaws in the latest models running the most recent software.

The team said the hacks worked on multiple models of Tesla and believed they would work across all marques.

"We have discovered multiple security vulnerabilities and successfully implemented remote, aka none physical contact, control on Tesla Model S in both Parking and Driving Mode," Keen writes in a blog post. "We used an unmodified car with the latest firmware to demonstrate the attack."

"As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars."

In a YouTube video, the team of Chinese researchers Sen Nie, Ling Liu, and Wen Lu, along with director Samuel Lv, demonstrated how they could remotely take control of a Tesla's brakes and apply them from 12 miles away by compromising the CAN bus that controls many of the vehicle's systems.

The researchers were also able to remotely unlock the door of the car, take over control of the dashboard computer screen, open the boot, move the seats and activate the indicators and windscreen wipers, as well as fold in the wing mirrors while the vehicle was in motion.

The hack requires the car to be connected to a malicious WiFi hotspot and is only triggered when the car's web browser is used.

The team demonstrated the hacks against a Tesla Model S P85 and Model 75D and said its attacks would work on multiple Tesla models. It was able to compromise the Tesla cars in both parking and driving modes at slow speed in a car park.

Tesla Releases Firmware v7.1 (2.36.31) To Patch It

"Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues. The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious Wi-Fi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly."

"We engaged with the security research community to test the security of our products so that we can fix potential vulnerabilities before they result in issues for our customers. We commend the research team behind today’s demonstration and plan to reward them under our bug bounty program, which was set up to encourage this type of research."

Thankfully, the vulnerabilities were privately disclosed to Tesla and the company addressed the issues worldwide with an over-the-air software update.

The Keen team said it is Tesla's "proactive attitude" towards its vulnerability report that made the fix available to customers within ten days, whereas other automakers have required much more time and more complex procedures to update vehicles following major bug disclosures.

The team has planned to release details of its hacks in coming days, Keen said on Twitter.